The Internet's Immune System

Jamie Reid Jamie.Reid at
Wed Nov 12 23:56:50 UTC 2003

It would be useful if these sites allowed you to query them with CIDR ranges to 
see if your site had originated any traffic that triggered their sensor arrays. The 
IDS community never seems to have wrapped its collective head around routing 
information. Looking up single IP addrs is just cosmetic. A real service would 
allow for concerned sites to check their entire address allocations. 

The solution we have takes a massive amount of data munging of a routing
table and is still experimental, but until attacks can be mapped to meaningful Internet
topographical information, the real value of these distributed IDS efforts cannot be fully 

I can forsee the argument that people shouldn't be able to look up other sites
which might be compromised, but if they are really so concerned, they should 
get their sites patched. 

Jamie.Reid, CISSP, jamie.reid at
Senior Security Specialist, Information Protection Centre 
Corporate Security, MBS  
416 327 2324 
>>> "Bryan Bradsby" <Bryan.Bradsby at> 11/12/03 04:25pm >>>

> Devise a system that assumes owners of IP space WANT to know about problems.
> report --open-proxy <logfiles
> and have a report sent to whoever needed to know about it.

-bryan bradsby
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: TEXT.htm
URL: <>

More information about the NANOG mailing list